From febb46b7020e1ad6f9eeb8ad39505c7426ff3035 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas <ikakavas@protonmail.com>
Date: Wed, 28 Mar 2018 13:43:29 +0300
Subject: [PATCH] [SAML] Saml metadata signing
 (elastic/x-pack-elasticsearch#4184)

Adds option to sign generated Service Provider SAML metadata
- Using a (possibly password protected) PEM encoded keypair
- Using a keypair stored in a (possibly password protected) PKCSelastic/x-pack-elasticsearch#12 keystore

Resolves elastic/x-pack-elasticsearch#3982


Original commit: elastic/x-pack-elasticsearch@7b806d76f82d55ce69854989551f27ac2b30e120
---
 .../xpack/core/ssl/CertUtils.java             |   3 +-
 .../authc/saml/SamlMetadataCommand.java       | 144 ++++++++-
 .../authc/saml/SamlMetadataCommandTests.java  | 276 ++++++++++++++++++
 .../xpack/security/authc/saml/saml.p12        | Bin 0 -> 2461 bytes
 .../authc/saml/saml_with_password.key         |  30 ++
 .../authc/saml/saml_with_password.p12         | Bin 0 -> 2461 bytes
 6 files changed, 448 insertions(+), 5 deletions(-)
 create mode 100644 plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/saml/saml.p12
 create mode 100644 plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/saml/saml_with_password.key
 create mode 100644 plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/saml/saml_with_password.p12

diff --git a/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertUtils.java b/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertUtils.java
index 4c42aa927cc..e1203a09ebb 100644
--- a/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertUtils.java
+++ b/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertUtils.java
@@ -396,7 +396,8 @@ public class CertUtils {
      * @param keyPassword A supplier for the password for each key. The key alias is supplied as an argument to the function, and it should
      *                    return the password for that key. If it returns {@code null}, then the key-pair for that alias is not read.
      */
-    static Map<Certificate, Key> readPkcs12KeyPairs(Path path, char[] password, Function<String, char[]> keyPassword, Environment env)
+    public static Map<Certificate, Key> readPkcs12KeyPairs(Path path, char[] password, Function<String, char[]> keyPassword, Environment
+            env)
             throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, UnrecoverableKeyException {
         final KeyStore store = readKeyStore(path, "PKCS12", password);
         final Enumeration<String> enumeration = store.aliases();
diff --git a/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommand.java b/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommand.java
index 8b3b13860ce..a123a0ab500 100644
--- a/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommand.java
+++ b/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommand.java
@@ -6,9 +6,17 @@
 package org.elasticsearch.xpack.security.authc.saml;
 
 import java.io.InputStream;
+import java.io.Reader;
 import java.io.Writer;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.Key;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Locale;
@@ -16,6 +24,7 @@ import java.util.Map;
 import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
+import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.Collectors;
 
 import joptsimple.OptionParser;
@@ -28,6 +37,7 @@ import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.SuppressForbidden;
 import org.elasticsearch.cli.Terminal;
 import org.elasticsearch.cli.UserException;
+import org.elasticsearch.common.CheckedFunction;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.io.PathUtils;
 import org.elasticsearch.common.logging.Loggers;
@@ -38,10 +48,18 @@ import org.elasticsearch.env.Environment;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings;
+import org.elasticsearch.xpack.core.ssl.CertUtils;
 import org.elasticsearch.xpack.security.authc.saml.SamlSpMetadataBuilder.ContactInfo;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.core.xml.io.MarshallingException;
 import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml.saml2.metadata.impl.EntityDescriptorMarshaller;
+import org.opensaml.security.credential.Credential;
+import org.opensaml.security.x509.BasicX509Credential;
+import org.opensaml.xmlsec.signature.Signature;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
+import org.opensaml.xmlsec.signature.support.Signer;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
 
@@ -65,6 +83,10 @@ public class SamlMetadataCommand extends EnvironmentAwareCommand {
     private final OptionSpec<String> orgDisplayNameSpec;
     private final OptionSpec<String> orgUrlSpec;
     private final OptionSpec<Void> contactsSpec;
+    private final OptionSpec<String> signingPkcs12PathSpec;
+    private final OptionSpec<String> signingCertPathSpec;
+    private final OptionSpec<String> signingKeyPathSpec;
+    private final OptionSpec<String> keyPasswordSpec;
 
     public static void main(String[] args) throws Exception {
         new SamlMetadataCommand().main(args, Terminal.DEFAULT);
@@ -84,6 +106,18 @@ public class SamlMetadataCommand extends EnvironmentAwareCommand {
         orgUrlSpec = parser.accepts("organisation-url", "the URL of the organisation operating this service")
                 .requiredIf(orgNameSpec).withRequiredArg();
         contactsSpec = parser.accepts("contacts", "Include contact information in metadata").availableUnless(batchSpec);
+        signingPkcs12PathSpec = parser.accepts("signing-bundle", "path to an existing key pair (in PKCS#12 format) to be used for " +
+                "signing ")
+                .withRequiredArg();
+        signingCertPathSpec = parser.accepts("signing-cert", "path to an existing signing certificate")
+                .availableUnless(signingPkcs12PathSpec)
+                .withRequiredArg();
+        signingKeyPathSpec = parser.accepts("signing-key", "path to an existing signing private key")
+                .availableIf(signingCertPathSpec)
+                .requiredIf(signingCertPathSpec)
+                .withRequiredArg();
+        keyPasswordSpec = parser.accepts("signing-key-password", "password for an existing signing private key or keypair")
+                .withOptionalArg();
     }
 
     @Override
@@ -95,7 +129,9 @@ public class SamlMetadataCommand extends EnvironmentAwareCommand {
         SamlUtils.initialize(logger);
 
         final EntityDescriptor descriptor = buildEntityDescriptor(terminal, options, env);
-        final Path xml = writeOutput(terminal, options, descriptor);
+        Element element = possiblySignDescriptor(terminal, options, descriptor, env);
+
+        final Path xml = writeOutput(terminal, options, element);
         validateXml(terminal, xml);
     }
 
@@ -181,9 +217,42 @@ public class SamlMetadataCommand extends EnvironmentAwareCommand {
         return builder.build();
     }
 
-    private Path writeOutput(Terminal terminal, OptionSet options, EntityDescriptor descriptor) throws Exception {
-        final EntityDescriptorMarshaller marshaller = new EntityDescriptorMarshaller();
-        final Element element = marshaller.marshall(descriptor);
+    // package-protected for testing
+    Element possiblySignDescriptor(Terminal terminal, OptionSet options, EntityDescriptor descriptor, Environment env)
+            throws UserException {
+        try {
+            final EntityDescriptorMarshaller marshaller = new EntityDescriptorMarshaller();
+            if (options.has(signingPkcs12PathSpec) || (options.has(signingCertPathSpec) && options.has(signingKeyPathSpec))) {
+                Signature signature = (Signature) XMLObjectProviderRegistrySupport.getBuilderFactory()
+                        .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
+                        .buildObject(Signature.DEFAULT_ELEMENT_NAME);
+                signature.setSigningCredential(buildSigningCredential(terminal, options, env));
+                signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+                signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+                descriptor.setSignature(signature);
+                Element element = marshaller.marshall(descriptor);
+                Signer.signObject(signature);
+                return element;
+            } else {
+                return marshaller.marshall(descriptor);
+            }
+        } catch (Exception e) {
+            String errorMessage;
+            if (e instanceof MarshallingException) {
+                errorMessage = "Error serializing Metadata to file";
+            } else if (e instanceof org.opensaml.xmlsec.signature.support.SignatureException) {
+                errorMessage = "Error attempting to sign Metadata";
+            } else {
+                errorMessage = "Error building signing credentials from provided keyPair";
+            }
+            terminal.println(Terminal.Verbosity.SILENT, errorMessage);
+            terminal.println("The following errors were found:");
+            printExceptions(terminal, e);
+            throw new UserException(ExitCodes.CANT_CREATE, "Unable to create metadata document");
+        }
+    }
+
+    private Path writeOutput(Terminal terminal, OptionSet options, Element element) throws Exception {
         final Path outputFile = resolvePath(option(outputPathSpec, options, "saml-elasticsearch-metadata.xml"));
         final Writer writer = Files.newBufferedWriter(outputFile);
         SamlUtils.print(element, writer, true);
@@ -191,7 +260,74 @@ public class SamlMetadataCommand extends EnvironmentAwareCommand {
         return outputFile;
     }
 
+    private Credential buildSigningCredential(Terminal terminal, OptionSet options, Environment env) throws
+            Exception {
+        X509Certificate signingCertificate;
+        PrivateKey signingKey;
+        char[] password = getChars(keyPasswordSpec.value(options));
+        if (options.has(signingPkcs12PathSpec)) {
+            Path p12Path = resolvePath(signingPkcs12PathSpec.value(options));
+            Map<Certificate, Key> keys = withPassword("certificate bundle (" + p12Path + ")", password,
+                    terminal, keyPassword -> CertUtils.readPkcs12KeyPairs(p12Path, keyPassword, a -> keyPassword, env));
 
+            if (keys.size() != 1) {
+                throw new IllegalArgumentException("expected a single key in file [" + p12Path.toAbsolutePath() + "] but found [" +
+                        keys.size() + "]");
+            }
+            final Map.Entry<Certificate, Key> pair = keys.entrySet().iterator().next();
+            signingCertificate = (X509Certificate) pair.getKey();
+            signingKey = (PrivateKey) pair.getValue();
+        } else {
+            Path cert = resolvePath(signingCertPathSpec.value(options));
+            Path key = resolvePath(signingKeyPathSpec.value(options));
+            final String resolvedSigningCertPath = cert.toAbsolutePath().toString();
+            Certificate[] certificates = CertUtils.readCertificates(Collections.singletonList(resolvedSigningCertPath), env);
+            if (certificates.length != 1) {
+                throw new IllegalArgumentException("expected a single certificate in file [" + resolvedSigningCertPath + "] but found [" +
+                        certificates.length + "]");
+            }
+            signingCertificate = (X509Certificate) certificates[0];
+            signingKey = readSigningKey(key, password, terminal);
+        }
+        return new BasicX509Credential(signingCertificate, signingKey);
+    }
+
+    private static <T, E extends Exception> T withPassword(String description, char[] password, Terminal terminal,
+                                                           CheckedFunction<char[], T, E> body) throws E {
+        if (password == null) {
+            char[] promptedValue = terminal.readSecret("Enter password for " + description + " : ");
+            try {
+                return body.apply(promptedValue);
+            } finally {
+                Arrays.fill(promptedValue, (char) 0);
+            }
+        } else {
+            return body.apply(password);
+        }
+    }
+
+    private static char[] getChars(String password) {
+        return password == null ? null : password.toCharArray();
+    }
+
+    private static PrivateKey readSigningKey(Path path, char[] password, Terminal terminal)
+            throws Exception {
+        AtomicReference<char[]> passwordReference = new AtomicReference<>(password);
+        try (Reader reader = Files.newBufferedReader(path, StandardCharsets.UTF_8)) {
+            return CertUtils.readPrivateKey(reader, () -> {
+                if (password != null) {
+                    return password;
+                }
+                char[] promptedValue = terminal.readSecret("Enter password for the signing key (" + path.getFileName() + ") : ");
+                passwordReference.set(promptedValue);
+                return promptedValue;
+            });
+        } finally {
+            if (passwordReference.get() != null) {
+                Arrays.fill(passwordReference.get(), (char) 0);
+            }
+        }
+    }
     private void validateXml(Terminal terminal, Path xml) throws Exception {
         try (InputStream xmlInput = Files.newInputStream(xml)) {
             SamlUtils.validate(xmlInput, METADATA_SCHEMA);
diff --git a/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java b/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java
index b8343062144..c03b095bd2d 100644
--- a/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java
+++ b/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java
@@ -18,12 +18,22 @@ import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml.saml2.metadata.RequestedAttribute;
 import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
+import org.opensaml.security.credential.Credential;
 import org.opensaml.security.credential.UsageType;
+import org.opensaml.security.x509.BasicX509Credential;
 import org.opensaml.xmlsec.keyinfo.KeyInfoSupport;
+import org.opensaml.xmlsec.signature.Signature;
 import org.opensaml.xmlsec.signature.X509Certificate;
 import org.opensaml.xmlsec.signature.X509Data;
+import org.opensaml.xmlsec.signature.support.SignatureValidator;
+import org.w3c.dom.Element;
 
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
 import java.util.Collections;
 import java.util.List;
 
@@ -267,4 +277,270 @@ public class SamlMetadataCommandTests extends SamlTestCase {
         assertThat(attributes.get(1).getFriendlyName(), equalTo("principal"));
         assertThat(attributes.get(1).getName(), equalTo("urn:oid:0.9.2342.19200300.100.1.1"));
     }
+
+    public void testSigningMetadataWithPfx() throws Exception {
+        final Path certPath = getDataPath("saml.crt");
+        final Path keyPath = getDataPath("saml.key");
+        final Path p12Path = getDataPath("saml.p12");
+        final SamlMetadataCommand command = new SamlMetadataCommand();
+        final OptionSet options = command.getParser().parse(new String[]{
+                "-signing-bundle", p12Path.toString()
+        });
+
+        final boolean useSigningCredentials = randomBoolean();
+        final Settings.Builder settingsBuilder = Settings.builder()
+                .put("path.home", createTempDir())
+                .put(RealmSettings.PREFIX + "my_saml.type", "saml")
+                .put(RealmSettings.PREFIX + "my_saml.order", 1)
+                .put(RealmSettings.PREFIX + "my_saml.idp.entity_id", "https://okta.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.entity_id", "https://kibana.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.acs", "https://kibana.my.corp/saml/login")
+                .put(RealmSettings.PREFIX + "my_saml.sp.logout", "https://kibana.my.corp/saml/logout")
+                .put(RealmSettings.PREFIX + "my_saml.attributes.principal", "urn:oid:0.9.2342.19200300.100.1.1");
+        if (useSigningCredentials) {
+            settingsBuilder.put(RealmSettings.PREFIX + "my_saml.signing.certificate", certPath.toString())
+                    .put(RealmSettings.PREFIX + "my_saml.signing.key", keyPath.toString());
+        }
+        final Settings settings = settingsBuilder.build();
+        final Environment env = TestEnvironment.newEnvironment(settings);
+
+        final MockTerminal terminal = new MockTerminal();
+
+        // What is the friendly name for "principal" attribute "urn:oid:0.9.2342.19200300.100.1.1" [default: principal]
+        terminal.addTextInput("");
+        terminal.addSecretInput("");
+
+        final EntityDescriptor descriptor = command.buildEntityDescriptor(terminal, options, env);
+        command.possiblySignDescriptor(terminal, options, descriptor, env);
+        assertThat(descriptor, notNullValue());
+        // Verify generated signature
+        assertThat(descriptor.getSignature(), notNullValue());
+        assertThat(validateSignature(descriptor.getSignature()), equalTo(true));
+        // Make sure that Signing didn't mangle the XML at all and we can still read metadata
+        assertThat(descriptor.getEntityID(), equalTo("https://kibana.my.corp/"));
+
+        assertThat(descriptor.getRoleDescriptors(), iterableWithSize(1));
+        assertThat(descriptor.getRoleDescriptors().get(0), instanceOf(SPSSODescriptor.class));
+        final SPSSODescriptor spDescriptor = (SPSSODescriptor) descriptor.getRoleDescriptors().get(0);
+
+        assertThat(spDescriptor.getAssertionConsumerServices(), iterableWithSize(1));
+        assertThat(spDescriptor.getAssertionConsumerServices().get(0).getLocation(), equalTo("https://kibana.my.corp/saml/login"));
+        assertThat(spDescriptor.getAssertionConsumerServices().get(0).isDefault(), equalTo(true));
+        assertThat(spDescriptor.getAssertionConsumerServices().get(0).getIndex(), equalTo(1));
+        assertThat(spDescriptor.getAssertionConsumerServices().get(0).getBinding(), equalTo(SAMLConstants.SAML2_POST_BINDING_URI));
+
+        final RequestedAttribute uidAttribute = spDescriptor.getAttributeConsumingServices().get(0).getRequestAttributes().get(0);
+        assertThat(uidAttribute.getName(), equalTo("urn:oid:0.9.2342.19200300.100.1.1"));
+        assertThat(uidAttribute.getFriendlyName(), equalTo("principal"));
+
+        assertThat(spDescriptor.isAuthnRequestsSigned(), equalTo(useSigningCredentials));
+        assertThat(spDescriptor.getWantAssertionsSigned(), equalTo(true));
+    }
+
+    public void testSigningMetadataWithPasswordProtectedPfx() throws Exception {
+        final Path certPath = getDataPath("saml.crt");
+        final Path keyPath = getDataPath("saml.key");
+        final Path p12Path = getDataPath("saml_with_password.p12");
+        final SamlMetadataCommand command = new SamlMetadataCommand();
+        final OptionSet options = command.getParser().parse(new String[]{
+                "-signing-bundle", p12Path.toString(),
+                "-signing-key-password", "saml"
+        });
+
+        final boolean useSigningCredentials = randomBoolean();
+        final Settings.Builder settingsBuilder = Settings.builder()
+                .put("path.home", createTempDir())
+                .put(RealmSettings.PREFIX + "my_saml.type", "saml")
+                .put(RealmSettings.PREFIX + "my_saml.order", 1)
+                .put(RealmSettings.PREFIX + "my_saml.idp.entity_id", "https://okta.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.entity_id", "https://kibana.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.acs", "https://kibana.my.corp/saml/login")
+                .put(RealmSettings.PREFIX + "my_saml.sp.logout", "https://kibana.my.corp/saml/logout");
+        if (useSigningCredentials) {
+            settingsBuilder.put(RealmSettings.PREFIX + "my_saml.signing.certificate", certPath.toString())
+                    .put(RealmSettings.PREFIX + "my_saml.signing.key", keyPath.toString());
+        }
+        final Settings settings = settingsBuilder.build();
+        final Environment env = TestEnvironment.newEnvironment(settings);
+
+        final MockTerminal terminal = new MockTerminal();
+
+        final EntityDescriptor descriptor = command.buildEntityDescriptor(terminal, options, env);
+        Element e = command.possiblySignDescriptor(terminal, options, descriptor, env);
+        String a = SamlUtils.toString(e);
+        assertThat(descriptor, notNullValue());
+        // Verify generated signature
+        assertThat(descriptor.getSignature(), notNullValue());
+        assertThat(validateSignature(descriptor.getSignature()), equalTo(true));
+    }
+
+    public void testErrorSigningMetadataWithWrongPassword() throws Exception {
+        final Path certPath = getDataPath("saml.crt");
+        final Path keyPath = getDataPath("saml.key");
+        final Path p12Path = getDataPath("saml_with_password.p12");
+        final SamlMetadataCommand command = new SamlMetadataCommand();
+        final OptionSet options = command.getParser().parse(new String[]{
+                "-signing-bundle", p12Path.toString(),
+                "-signing-key-password", "wrong_password"
+        });
+
+        final boolean useSigningCredentials = randomBoolean();
+        final Settings.Builder settingsBuilder = Settings.builder()
+                .put("path.home", createTempDir())
+                .put(RealmSettings.PREFIX + "my_saml.type", "saml")
+                .put(RealmSettings.PREFIX + "my_saml.order", 1)
+                .put(RealmSettings.PREFIX + "my_saml.idp.entity_id", "https://okta.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.entity_id", "https://kibana.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.acs", "https://kibana.my.corp/saml/login")
+                .put(RealmSettings.PREFIX + "my_saml.sp.logout", "https://kibana.my.corp/saml/logout");
+        if (useSigningCredentials) {
+            settingsBuilder.put(RealmSettings.PREFIX + "my_saml.signing.certificate", certPath.toString())
+                    .put(RealmSettings.PREFIX + "my_saml.signing.key", keyPath.toString());
+        }
+        final Settings settings = settingsBuilder.build();
+        final Environment env = TestEnvironment.newEnvironment(settings);
+
+        final MockTerminal terminal = new MockTerminal();
+
+        final EntityDescriptor descriptor = command.buildEntityDescriptor(terminal, options, env);
+        final UserException userException = expectThrows(UserException.class, () -> command.possiblySignDescriptor(terminal, options,
+                descriptor, env));
+        assertThat(userException.getMessage(), containsString("Unable to create metadata document"));
+        assertThat(terminal.getOutput(), containsString("keystore password was incorrect"));
+    }
+
+    public void testSigningMetadataWithPem() throws Exception {
+        //Use this keypair for signing the metadata also
+        final Path certPath = getDataPath("saml.crt");
+        final Path keyPath = getDataPath("saml.key");
+
+        final SamlMetadataCommand command = new SamlMetadataCommand();
+        final OptionSet options = command.getParser().parse(new String[]{
+                "-signing-cert", certPath.toString(),
+                "-signing-key", keyPath.toString()
+        });
+
+        final boolean useSigningCredentials = randomBoolean();
+        final Settings.Builder settingsBuilder = Settings.builder()
+                .put("path.home", createTempDir())
+                .put(RealmSettings.PREFIX + "my_saml.type", "saml")
+                .put(RealmSettings.PREFIX + "my_saml.order", 1)
+                .put(RealmSettings.PREFIX + "my_saml.idp.entity_id", "https://okta.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.entity_id", "https://kibana.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.acs", "https://kibana.my.corp/saml/login")
+                .put(RealmSettings.PREFIX + "my_saml.sp.logout", "https://kibana.my.corp/saml/logout");
+        if (useSigningCredentials) {
+            settingsBuilder.put(RealmSettings.PREFIX + "my_saml.signing.certificate", certPath.toString())
+                    .put(RealmSettings.PREFIX + "my_saml.signing.key", keyPath.toString());
+        }
+        final Settings settings = settingsBuilder.build();
+        final Environment env = TestEnvironment.newEnvironment(settings);
+
+        final MockTerminal terminal = new MockTerminal();
+
+        final EntityDescriptor descriptor = command.buildEntityDescriptor(terminal, options, env);
+        command.possiblySignDescriptor(terminal, options, descriptor, env);
+        assertThat(descriptor, notNullValue());
+        // Verify generated signature
+        assertThat(descriptor.getSignature(), notNullValue());
+        assertThat(validateSignature(descriptor.getSignature()), equalTo(true));
+    }
+
+    public void testSigningMetadataWithPasswordProtectedPem() throws Exception {
+        //Use same keypair for signing the metadata
+        final Path signingKeyPath = getDataPath("saml_with_password.key");
+
+        final Path certPath = getDataPath("saml.crt");
+        final Path keyPath = getDataPath("saml.key");
+
+        final SamlMetadataCommand command = new SamlMetadataCommand();
+        final OptionSet options = command.getParser().parse(new String[]{
+                "-signing-cert", certPath.toString(),
+                "-signing-key", signingKeyPath.toString(),
+                "-signing-key-password", "saml"
+
+        });
+
+        final boolean useSigningCredentials = randomBoolean();
+        final Settings.Builder settingsBuilder = Settings.builder()
+                .put("path.home", createTempDir())
+                .put(RealmSettings.PREFIX + "my_saml.type", "saml")
+                .put(RealmSettings.PREFIX + "my_saml.order", 1)
+                .put(RealmSettings.PREFIX + "my_saml.idp.entity_id", "https://okta.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.entity_id", "https://kibana.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.acs", "https://kibana.my.corp/saml/login")
+                .put(RealmSettings.PREFIX + "my_saml.sp.logout", "https://kibana.my.corp/saml/logout");
+        if (useSigningCredentials) {
+            settingsBuilder.put(RealmSettings.PREFIX + "my_saml.signing.certificate", certPath.toString())
+                    .put(RealmSettings.PREFIX + "my_saml.signing.key", keyPath.toString());
+        }
+        final Settings settings = settingsBuilder.build();
+        final Environment env = TestEnvironment.newEnvironment(settings);
+
+        final MockTerminal terminal = new MockTerminal();
+
+        final EntityDescriptor descriptor = command.buildEntityDescriptor(terminal, options, env);
+        command.possiblySignDescriptor(terminal, options, descriptor, env);
+        assertThat(descriptor, notNullValue());
+        // Verify generated signature
+        assertThat(descriptor.getSignature(), notNullValue());
+        assertThat(validateSignature(descriptor.getSignature()), equalTo(true));
+    }
+
+    public void testSigningMetadataWithPasswordProtectedPemInTerminal() throws Exception {
+        //Use same keypair for signing the metadata
+        final Path signingKeyPath = getDataPath("saml_with_password.key");
+
+        final Path certPath = getDataPath("saml.crt");
+        final Path keyPath = getDataPath("saml.key");
+
+        final SamlMetadataCommand command = new SamlMetadataCommand();
+        final OptionSet options = command.getParser().parse(new String[]{
+                "-signing-cert", certPath.toString(),
+                "-signing-key", signingKeyPath.toString()
+
+        });
+
+        final boolean useSigningCredentials = randomBoolean();
+        final Settings.Builder settingsBuilder = Settings.builder()
+                .put("path.home", createTempDir())
+                .put(RealmSettings.PREFIX + "my_saml.type", "saml")
+                .put(RealmSettings.PREFIX + "my_saml.order", 1)
+                .put(RealmSettings.PREFIX + "my_saml.idp.entity_id", "https://okta.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.entity_id", "https://kibana.my.corp/")
+                .put(RealmSettings.PREFIX + "my_saml.sp.acs", "https://kibana.my.corp/saml/login")
+                .put(RealmSettings.PREFIX + "my_saml.sp.logout", "https://kibana.my.corp/saml/logout");
+        if (useSigningCredentials) {
+            settingsBuilder.put(RealmSettings.PREFIX + "my_saml.signing.certificate", certPath.toString())
+                    .put(RealmSettings.PREFIX + "my_saml.signing.key", keyPath.toString());
+        }
+        final Settings settings = settingsBuilder.build();
+        final Environment env = TestEnvironment.newEnvironment(settings);
+
+        final MockTerminal terminal = new MockTerminal();
+
+        terminal.addSecretInput("saml");
+
+        final EntityDescriptor descriptor = command.buildEntityDescriptor(terminal, options, env);
+        command.possiblySignDescriptor(terminal, options, descriptor, env);
+        assertThat(descriptor, notNullValue());
+        // Verify generated signature
+        assertThat(descriptor.getSignature(), notNullValue());
+        assertThat(validateSignature(descriptor.getSignature()), equalTo(true));
+    }
+
+    private boolean validateSignature(Signature signature) {
+        try {
+            Certificate[] certificates = CertUtils.readCertificates(Collections.singletonList(getDataPath("saml.crt").toString()), null);
+            PrivateKey key = CertUtils.readPrivateKey(Files.newBufferedReader(getDataPath("saml.key"), StandardCharsets.UTF_8),
+                    ""::toCharArray);
+            Credential verificationCredential = new BasicX509Credential((java.security.cert.X509Certificate) certificates[0], key);
+            SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+            profileValidator.validate(signature);
+            SignatureValidator.validate(signature, verificationCredential);
+            return true;
+        } catch (Exception e) {
+            return false;
+        }
+    }
 }
\ No newline at end of file
diff --git a/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/saml/saml.p12 b/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/saml/saml.p12
new file mode 100644
index 0000000000000000000000000000000000000000..be2e45d1074aa19f681c701091031e76a8e69ef8
GIT binary patch
literal 2461
zcmY+EXHXLe8iq-Qgor2s2}q=OFrg!;lw}FQ1w)Z~#sle9I#P`+7<!QelqxJeh@dW@
zKtL7{2wl1qDTXegvjXSN+}+;&_~x5=-kJB``(Q}0Y#;!HA;E}Hm~1RA_TU_V9Z*1m
z-3F6jw|-z8h6FnMJAxLFK;M3#bs&K4$6NY40bnje;s0(x0H7EyFo%*kzaiE$G7$*m
zV2dV!>g|$N{2iRVOZr&>0O9Fzts*Ft3NNYa2_2WR{$u38S^N5Oo%%#Qjc}TY<NXTF
z@LknvwF|Q~sC}|qTeSfX2DfxloSOm3M`6la-^VVlE9PmYFWww9Jbu;rEIPq@?C$p6
z(H>O7LgBk!h1AZfmwoKoZRls5w87Kq^9jovQ+;|an+0jiLsMK$94zPi%$HU(m!);a
z@tr<ez4=Mr$hF9;D>0cSs+}kkyg@x1&a*Z)RHH1&M-X6(T;+<AAq!b>$9CAc_Xj7v
z>mBVMG&{E{U)dzk@f6w#-xIO*XGUVU2IY2!l?v*Guzl@|sbRJfeRtzb{lsdqPx_T|
zGX5~n&#vroR|{bDJh3s})fl2zoVX!-9wz%#jqG~>WWY&PAPo`3V1~7q&#EkhCaW}d
z0YwcQexPT6qqm+&c#E7$9WkYw*Cv5F2Z$O9EFI69D^fbDO`XBNrnuduQSJ9{;U862
zI+SNpLt}>Tpjs5%>-NKuCIgwe&CjY0l2B(>`bW_2QNp?AYeM#|?cfrTv^q`7yGu<+
z+=NLEG`P~F86XT|s9vbwm}wCGr`Lf%;%rb*c_4z=efl2Xw|cRt1+g;Y*!7&HBtM=U
z*JoNBaWIh^t~`=UJGgTDz1I2XhdLF}f@j<jd7G8$IYoz^+Ui6Df$s{$7lfuT4`8)-
zIjfH@BdbX{poI3w&S@F+^jXD+_Kv5ojSXY1?5hfUwb8BknEUU8Eh8VqJGynOuaYZr
znjxbWR)cDimZpZj`T<FGcs~cGUS^yeLQ7t~K+?;~NfsxA%d}8Ga{9bzyYyD0r+VqJ
zI~bqWQuYhsQ80Bb(&d<Qb2C>Il|G1|r_QgjuO{F7oIocOBSre7w~gT%;r4~8<1FtR
zn$lj7xH+XiHMqv(RVt**0`B+oi~q9rlE=o9`0n1;sP1zG1xLk-oheZRQ-ur$7KuK3
zDm3DwO9*n+x+xpJMvIa#_(GeV)oif-;(&G#XYd&X80UO?>p~Ks)}9+GIpbsC2R?Ki
z?B68>tB5m{j}b4~O(<mTgnV5`JH0vCPlfdoe2y52Qc05!%BgIeQsF>aLulF{<po4U
ztG7tl`O=fU(B*ZX{;=%Qj^4xs`6KxT0CsR@X8&P^nK2lJK&J@k%wsm|uj-!;=637y
zcb;UUUROx;@x*G}PxRP)AniCBvwq%v$?egF;`0qxec(lOnPfTPJJH$;t}bd<B!G|K
z1OIe(+9pl6ns;}6WQDq%ieN|(-TxVS0STf6CP5T`VA&rh3FZ9H?BM`l0SUZ`A%R!_
z&jz5sY>*nRyF6wz!2g#Gz$9>&<a3VXKOfk3f9{QeH<erRK1f>F81l`W@Bn`c5!*6e
zN<B;GDVw0hRB9uX&Tj5TX|8%Uwg<o6u0>*TZ}hIqP{|ZdYFjyDo$Z2qTW*L@gaD$?
z`lCej4zEGSm+-m0?VTB_|1|B9@U92ndyDcGF-O*JSv8unhc;`aG?&Rg&#-72y0V7k
z>~{6PZpft{9#tP=nPR+@b+YU!x??pZN;b|pN`v>;5Zgc5*nJ0<GnPfwj!r{r+1z40
zG;5PhjAph@S9quApaWi6a!Ts6TWah2Ib)xNluc45-1+CU2y5APdbZexPw|}0KoGw4
zXxc9im)a2IMOJ3q`PpYiX;Mk#(yZpitYe&3$qAY%A71R>MKB?IZ@LF!%Ch1Z-s+VL
zaj|4^R?H_#zEkj4E*o~bXnd%V=W!IM#=G@aNQVwLVAFLwqC-2YxDKNXs~1c4)+6Wl
z!ai9<axbaeaGB6=>#ohOU`g*8Ps#82C5Tny5;CQHD6Hl83DH-XTgiN{%%w_sGh~^%
zMwF2KoBD+W$2N2kNP5AStzapQ^;_1;%iPH3mUW`x>)CG)!{LglXDaI@IQXjkebT*5
z9R)>50sN2MXnRS+pw49()XLBsYN()em5>d;<LdOW)In?nkAMZ|iz-c>0t=@Wi!n9_
zWXL*-8#{B93lNRec3m!{55;C>8(-^3RBO_sV=8akhJOpQoD;SK3(DBS@=L}?^wHjp
zg2Z!KHSvvN@yVXSVGGnrv8)##o-Cx4OHckZ69||;X%+<&Ti+BKoV_`bE!$6frT_-r
zn4ycPu|a$2zp+Wt8A5Z#)B%<Yba#P$O*OG_F|+i>Xa>D6FfcxWxfV^=!B0g-2K+jG
zo}>y|J{!3-5C{6l{;k)h(`4G-6f%78VRreX{b*7!@bne@n3NL1MA!tI<z3crlDu~2
z7&{MZa$@dy1PI#Cn*@l4e4g^yowa;Pu%j?5!RBN?GTYb95WH8C@sg|RJOZ+~;U1uV
zkMs4<mKOX9j!qlCpS3NbEk;djdqZ!NvwwHR!y@YH6fg9AX;n*~(x|fK<??r9=U)^5
z#dqWt4<MeV`?X!`S`Ut(B0Y4t<{!1ho6<G;p}4n#z%bv<0upbn>f<W}5X&0=TgR8X
zNMNK<y0yIau;a(E`mZsB{@d!lLCeFO$l1Gzup7)sA>UYfkrc<HbJf{Rs*?V7rRQHg
zMIj~4_7<IsgcjW-`jw;NuiHzA%eFBTU?X+;>k$4@GiAu{dD85aLRj^Kp|SkQepIZ$
z*BE@JnVgAFH_Pw3<v(A8aiTShR55ac6#t>a)|uSPwLI>d?6zP_*wmbBm@eQON03<4
zae9T~Yxc&I=_ji->(2M^i|kM%6$}N<n&+WS<(F+;{%*uY91xZ(yAqUruiaCv)Tg8r
zKvYZ=zX5#=PvA$-7}*6i!q~%+YrX_^C%{%o5Wh}nxlU_;<Wr&F8A01y!d!-=@F7h=
zF`r8O$22i(5Mc1vBJ-jv11ar?)Qd$dqv^|5K&Dx9*DXJ-K~@*XnF5Beadg;pJW2CI
zc?l!Y3Y6q_=jJT$1LY&gQ))1uP{^h>8dzc27V;Alm7d|_wD&?+7%PDh`>!2gyjVUk
za^;RUQ83o;C;nkxhL(Y*QX_{=CI*WU!N8ypIW7=T0Kx`F#&g95bl9+a<Kpv4*D6mu
W_8N`zz#PwfF0>Uu!Y2N*<i7wE5{Q8S

literal 0
HcmV?d00001

diff --git a/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/saml/saml_with_password.key b/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/saml/saml_with_password.key
new file mode 100644
index 00000000000..cc9a4fba426
--- /dev/null
+++ b/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/saml/saml_with_password.key
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,E5CF40A599E7BBB7
+
+TnxQWgs1sKEW5OIFMWQS/Iyqz25nIf7321MiEa/Z8lakv2bh8MBJCIp7r3pN4viJ
+K5bMJMIsjqUdolcvbuPXgtA6uuhnf/X4o7sU/fZhsgOiBkoj3r2pWOpHHx+am3G7
+uzrVlDgc36X5lVRUZLdnIeT3aLAk8+ObXF624TxISCUPZluGC0NwJlNZ5yxIeSTv
+47hd1OVfdKH+IYoa8Illt10njcl398z5AUWiX+j6ozlJnnufi0kRdQJ3Da0q5rUg
+IlUpqNmPwG2tl8Ys1tNaU8fpf22rLDo7S2P4S+SxzMvDYXFr/VDy4nFtWDuP6hTQ
+VA51txLKOR0+FhZNOUOZH6YjFv4LOUS3/doonPrp/7z4C6cnf3MECtnhOG2zVcBX
+FKCg7iKBmml92tOsCIAXCjUlpTHQniNqxNtOiWySlt/83XPLPQSpeNuSismWSHlN
+lVUGkcysjEaZu86DVc6NN91s7oG0x/R0UKU17NUZFtCaYCXYtdtRlpgpmMOD8KFp
+3NdZUFPQ0zetXqS/skdg1tKd49amKO7Qj+V9nWMzFnwPTM+LD3hV4Ehb2D41nTxz
+b0UFNb/vcYUZzP6+OvgrSyhH9f7pYmyt+Ky80wJ1eOB1ZRReo0iXYPZZo4G8spJy
+SHc18HswxU+ICMB77tHHDIJXnGQr9yTDYph3ZEs4m/NIP91f0XjeexsRcSDrKImD
++UY6cY8a76HOT70Wl+Na0ZCKE9BkpWLgbkZbH9arhIbW12wSdvO6oPGFU9FOVL2V
+L0RMGSYQPowXyktBer+b1ZPrijOYWLqkn/S5prOjCjD/qxnWts9DGeNixrw3F7HY
+yEUbl3amc1/Zxi60CsNHmV6wvQIzoz3Pz+U6foIeJxLj5glFQiA1Yhivd1YGWeFk
+t3uqNGRe6C6sNzpF4LCKpxnEbZdAM6QzcmHIAcfINuc00zNjV6B3o1L91wXO/bd/
+VJ4zCcO0UxipLhaiXvMpjMOW3uJri5nlm1cWnGWH3M20l7hLQ4sUw0IUh9wA412K
+6muTqlvwYQtYwwG0nz99bnKwHIO01vbAQACYk13j37wUsG57DFygxs+fcITV0AfB
+PKwAKISmlr45PztXybEXg92mzkBsdXFMhpHeDhYDeC3g7DGXI5cEqbiATu8Gvsy2
+F4ylZMl2gHG4/2GSjEdHLv2uXPmZYFFeoJY+9GdNS6yz0ncn9yahG57OawbXR/fS
+NPfLyDg8C+fRC2O0TI4/a51sXy2bEE0NBRdrY1VZp9sc4nsRvUdvxvdd++R+PeNt
+oAqRHqTTksRJqBwy3+KMerGk0z9RLPzzLQkBVeH5bQtqhZq43bI6Zf8jDqKlb1H+
+YhkgU4DsO0iPKvtIMEa31U9Qc2nQiIWjSk4v8gr5tcqoekynV4rKosTV1+GSRlkn
+l245GuOOE2PKVYn0jrUIn/IGzcMfORRH4/Sl/gy9ikYS70tykyJVoMplIeb1awMa
++FNAD17iNhaLOvuEfL5zCQtjXHyCRzReGxxmO9F2lN26Lr0MzM8k3bIrFTBVL/+n
+5pg6I6i8CXFWfpi08fP5KDU447AaBvdozm9L2JWIKaxjHev+NIy2Og2qtR34nBPH
+-----END RSA PRIVATE KEY-----
diff --git a/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/saml/saml_with_password.p12 b/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/saml/saml_with_password.p12
new file mode 100644
index 0000000000000000000000000000000000000000..a764c67fc2a4c30cd41a603aae76602f2301c25b
GIT binary patch
literal 2461
zcmV;O31apzf(e-d0Ru3C310>YDuzgg_YDCD0ic2jPy~VrOfZ58NHBr}{{{&vhDe6@
z4FLxRpn?PNFoFZ@0s#Opf&=9S2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=vl23P
zMLfng0s;sCfPw?Kuod69hm{Ez3#j+$iQ&P~P!Cj-J)@#2?hR1#M!7ZxhyjC-7f;+U
zjAs0<GbR3zsHM59E=Lip)>o4{vG_8hrfsM6Dflh~?t2Dy*EcTqkFL|HN*o{QuT;a*
z+?+W2+h?WE37uD1$i4*-5GXL4S9>1A7I~!pCMz8VMkyIfyjfUU^PL_ON*KwnEq38o
zS*Grt>iD98u8Kjmo?s%Kd2BZIZr3;utyJo&m^S6XRyIx6k?=mN6-E*Pji%E1f;hT<
z?DnbyO+H}av9ZdMFg8lPcw#!2b~sA=@2PM3?!V6481tMJfCA$w^%k)!*$D$hkXI%<
zFOU}C%)|&X_4Dxn!I0ixF<|6O*eyEh#_2b4?2LEMU~1XulY?~8Bi1}+`U<%~PZwz}
zSl`nM{q*NrpVyjCNL;@}5^1>nkp7PhHgorMzy~x_j=dI>$$}$m{ETvn@kJa}cqJFA
zRkHqzk?M`Bu!As}jE=UsAIG*Jg~$<qx}2r;)HmHO!<M1Thc1l^1V2~>G%ma^{uUkY
z>ng27!i9)FW$vy6*N|3ZCJ@$<2P@3g3?TDGudB%R?u%i`=C3y21-+YkX^cBC#t&>~
z>WlcmuwXSl1VvdEb1omDw27&BBN3V2Kr(6AQYF((p60m`oRp@i$s97&Rr1+)r@m2A
z?)1;c9MuZN+As}j*VZ$Fnv^&9X5M1pZQxlwDH@MP*az>z0o`0KBHRSyIzYJmL;;yK
zQvSb9`!+oV#<wB~fW{-c;WH1wtxACBfe+3t2WedT>@phvJvXK<vo^|Z3R;szPjxu{
zd8jYUlS-_1grFRk%9z9W!Y?TYgB<X>jDe5N|L`DLjf#F!<!|K=fV0Y*>|2?5BKAc<
z+!E9*!@O)WmZ&o%hmFZ3d$C6H_5EZRhk*Qu$u@}9I@*ou2BFR>T%S_s1rWcksSOQ^
zeW~`(cE$8CRVt(0#iUgyf2(vY!q;WyezX+qSc?UiDL)G`c<=JC>Vt)5D#~ko0*EMC
zt3ZsfOqgN^U#B>wWrsE1vFcCLck=AR-U$<QY%EoKpzDv#T;QJFJd15rHc$Vr&$X1+
zvzP>!V;W?r_F<NnO3_#wlr{lGo6<@ABM%iS>0a74IlCIwdfy^Gf#qx22tqRzfZ#_W
zIq-Fo1d-Q{bo<@NXR1Eb;${+Vdv+P{0Ct5BT%w4ktJbaNHck=3*$fD;8GI3}XO=E`
zMOjB4uE+8~4mZaKj}EUcW{>A0aIYylnwP2)FoFd^1_>&LNQU<f0S5t~f(0@Jf(0%x
zf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&1PE<#kb)1y
z6f*(>2ml0v1jsIp0$iP$1pU_1Yj7*0;#V`A@j>kD`MLK86(Fx#yVJ8-``<TASM5BB
z!1>dW|Iem%u9(08%s01z{9CYA+`;CL;T<Oh`-<6Xw4P0(tHg=XZ-Azdz*!{E2(uk2
zzsJo2h=rq8H^Aeh7W<e#h(?$lpgq#D@2=Mni-~DbJ<eg=t@>I;ohnDzYI@HMTRfM=
z@O8pvM4OPoecd&XNSN}`H*ECNm;bfBc5<hZH4<f+3J)G|Ah4vop9_|!P~o{uV*Z`P
zznt?a>~{@;fD`N^)7F~wO*zhK%=ujE5mrRYOh>@dM_!6G#Ua>td{j(a^G-7K71hQ6
z-V0IOyg)~HY)csiY!}0>qyAi^fQCZf`x=P*8x18Hvr1!_qYXU+Tp&IsWHX0GlvJ8g
z(l*)-cBOH91NM>pv0`+2V~iSgi$Z<uh}1Qq2Kf-o)VPSm0e@h;HR4kxRDMd)YHDCc
zkCpCcA;<p-vfmubE8Z-!W<qTStVj+=0H?Vu>31zD<xaXhSBR1M6LxB@IJ0h;6sYI%
zL_WL16e6jW5XS#v#<_dx7g5vwxl|}mS_FXZ{OCfHgcXznannhxS>>h^Dw?>FU0$zm
zO7M{*l)j$W&ZK<w$#ynpOL<_m4izOH-r7Jk=W8)BH~q3eGMl|T(_T4@fRAuvDVy5?
zX#Yh^Z*Dx;b(TC<#WIrWuk#`v*z0GS)py9nzhtDJ&fA@4FSEiPAN7{mqI8ObM25=-
z#M14HeT%-ih9y*G@fHL}YC?s#4u4^r8>-c$dQ>O8Cawxi8XT6wq?#35XT{a{3=2m-
zE6HvCRUrv}VS}~DXs-1V>M+pjR|s&pNC!3XL&x1f|I`D%`qQEtH;E5BhI4U}A7Uyh
zKAXH^wq!YT$eC`Z<uIPq3^vuQ$3~UH;xZ}7UoUT(6wLc=D-GajmqEG|N=M!|3ia2s
zc8hI!TVWDZ7m{iDPqY%~rn05LbLU_^&JanuncL!3X=!LDd#GOxz@SaHHim+9vnt)u
z+bLd|?cOQ>3G&2IokGf7wopU$j<`E0L;Ql`@ZU{;>2IJ=zn}P_R8B6TYVm&oQsCIj
zhh_X4MMJCXO&hucq5F0%FykP~>@Ys*tQITWR8*+rt%WxvV6Gw~`F#(-0GWhZ<+C8b
ziat*g+I|XUT~0tE3D02jE^r8UoL-g(7H-mPWTj9P$R3YFGbANFCmhU1D%g&?@N&OS
zO<+q`{<RTvzXZ<6xcgltV`v}_a!;p&f|5g%>&WQqtK3#ga}^fERPgg3D*M}Vty;{y
z<$gBp+=z1(+PpACj7ueBBLI<(;Y&F(R)6Y0(d_^P^s&~EqjZ2QI#b_|lcYMx>CC07
zMl7(`k1CnRTvWAawdlQ=W>fL|3#c?PmSL3RvBW?UM<W_dzx!@!)Fr{$2|a9Rd-Hcf
zN0<Qqcr>eM^sN>GB{Q_9tqe3n{GlBT^W``%DSFuEfy+H>cmw*_rw^df4-qs{IM648
zz_Zx!x{?IQJ7zVFHUz%Xs)&daUp*xpUGLt~SVxH2L;3ZlvQMRpk6xV_Ofyu$#uQU5
z_BR7MtxTf*^<5!P!4#F_RVex%cN)%ss2H<>CsOApJe!K%&iXMWFe3&DDuzgg_YDCF
z6)_eB6zNuOUmJ#UL>SW*%{xUoGP(#^l`t_dAutIB1uG5%0vZJX1Qe>-+0zdYc3s^p
b%ofuCQ+y>0N~;72$MpJ@5m<M60s;sCVs?k^

literal 0
HcmV?d00001